Russia not the first to see Skype as a security threat

In partnership with Prime Minister Vladimir Putin's political party, a Russian …

VoIP services like Skype and Vonage radically changed the US communication landscape years ago and ignited a telecom race to catch up. The most powerful business lobbying group in Russia, partnering with Prime Minister Vladimir Putin's political party, is hoping to avoid the same fate with "legal safeguards" for home turf competition. Lobbyists also cite national security concerns, hinting that Russia should join China by spying on conversations over Skype and similar services.

Called the Russian Union of Industrialists and Entrepreneurs (RUIE), the 1,000-member strong business lobby organization recently announced that it wants government restrictions on IP telephony services from foreign countries like Skype and ICQ. RUIE believes that the VoIP market is now growing faster than traditional telecoms, estimating that by 2012, 40 percent of Russia’s voice conversations will travel through Internet tubes. Unsurprisingly, the group—composed of telecom executives and other members of private and state-run businesses—wants to "protect domestic producers in [the telecom market]," reads a loose Google translation of RUIE’s official statement.

RUIE also warns that "without control by the States, security concerns [will inevitably be triggered]." As Reuters reports, delegates at the meeting state that "it has been impossible for police to spy on VoIP conversations." Perhaps these statements are red herrings intended to shift focus towards anything but the assault on Russian telecoms’ bottom lines. But these statements touch on the issue of Skype and spying on foreign consumers—after all, the company has done it before.

A server misconfiguration in October 2008 allowed researchers to discover that Skype was providing China with text communication logs. Created in a partnership between Skype and TOM Online, Skype's partner in China, the logs revealed typical things like the monitoring of "sensitive" topics, but also that specific users were targeted for further monitoring. "Millions" of records found on publicly (and briefly) accessible servers contained IP addresses, usernames, and landline phone numbers, as well as details of users outside of China who communicated with TOM/Skype users in China.

According to researchers, many of the leaked logs contained none of the typical hot-button topics like Taiwan independence or opposition to the Communist Party of China. Apparently, if you ever talked about flagged topics in China or with one of its residents, you qualify for TOM/Skype's list of folks to spy on.

At the time, an eBay representative would only talk about the security breach that led to the leaked logs, stating that swift, ironic action will be taken to protect the privacy of these spy logs. When Ars asked about the RUIE's implications of working with Russia to spy on its citizens, a Skype representative would only say, "Where technically possible, we work with law enforcement."

Of course, while it is always pleasantly surprising when businesses do otherwise in general it is natural to expect them to fold immediately. The key line there is "where technically possible," which is why one should always be very, very suspicious when it is technically possible to violate security when it need not be. All VoIP code should be open source, and while a central service might help act as a directory or handle proxies if necessary the ultimate result should be a direct encrypted connection between the parties wishing to talk. It simply should not be technically possible to get anything out of it, which thus makes it easy for any company managing the service. When law enforcement demands records they can, with complete and utter honesty, tell them that it's impossible, and that it's impossible to force them to do otherwise.

In general, it's always good to assume that if a given power exists it will be used sooner or later for anything someone can come up with for it. This happens with laws in particular all the time. The only true counter is to make sure the power simply doesn't exist at all. If it's even possible for Skype to do any surveillance then that is a big strike against the service. If they're truly secure and reliable then end users don't have as much to fear. But it's always going to be a risk with a proprietary solution of that sort.

Originally posted by xoa: Of course, while it is always pleasantly surprising when businesses do otherwise in general it is natural to expect them to fold immediately. The key line there is "where technically possible," which is why one should always be very, very suspicious when it is technically possible to violate security when it need not be. All VoIP code should be open source, and while a central service might help act as a directory or handle proxies if necessary the ultimate result should be a direct encrypted connection between the parties wishing to talk. It simply should not be technically possible to get anything out of it, which thus makes it easy for any company managing the service. When law enforcement demands records they can, with complete and utter honesty, tell them that it's impossible, and that it's impossible to force them to do otherwise.

In general, it's always good to assume that if a given power exists it will be used sooner or later for anything someone can come up with for it. This happens with laws in particular all the time. The only true counter is to make sure the power simply doesn't exist at all. If it's even possible for Skype to do any surveillance then that is a big strike against the service. If they're truly secure and reliable then end users don't have as much to fear. But it's always going to be a risk with a proprietary solution of that sort.

Got to love it when governments put their citizens and companies at a competitive disadvantage to preserve legacy companies' profit margins. You only have so many fingers you can stick in the dike guys...and if you make it expensive enough or cumbersome enough to do business in your neck of the woods the business will go elsewhere.